On Fri, 14 Aug 2009, Evan Hunt wrote:

The truth is that E is a hard limit, so the range you get is E-J to E.

So, given E = S + 30d, and J = 30d, you're getting expiry times ranging
from S to E.

S, in this case, is an hour in the past.  I guess that accounts for the
already-expired signatures you're finding.

Note that the cycle interval (-i) doesn't enter into this calculation at
all.

Okay. That clears things up. Is there a reason why the -i value cannot
be added to S? so that we get a range of s+i to e-j with e-j > s+i or
else we give an error (since we'd be signing without jitter while using "-j")

There really isn't any interaction between -i and the others. All it says
is that when you're re-signing, if a signature will expire within the
time set by -i (or defaulting to 7.5 days if -i was not set), drop that
signature and sign the corresponding record again.

It does not make much sense though, to generate signatures with the -j
parameter, that would get instantly replaced because of the -i parameter.

Paul
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
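
An added example, not part of the original message and not BIND code: a small Python check of the arithmetic discussed in this thread, showing how much of the jitter window [E-J, E] is already expired and how much would be replaced by the next re-sign pass. The function name `jitter_report`, the timestamps, and the assumption that expiry times are spread uniformly over the window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def jitter_report(now, start, end, jitter, interval):
    """Classify the expiry window [end - jitter, end] described in the thread.

    Assumption of this sketch: each signature's expiry is drawn uniformly
    from that window, and a re-sign pass run at `now` replaces every
    signature that expires within `interval` of `now`.
    """
    zero = timedelta(0)
    if end <= start:
        raise ValueError("end (E) must be later than start (S)")
    if jitter < zero or interval < zero:
        raise ValueError("jitter (J) and interval must not be negative")

    earliest = end - jitter  # E is a hard limit, so the window is E-J .. E

    def share_before(t):
        # Fraction of the window that lies before time t, clamped to [0, 1].
        if jitter == zero:
            return 1.0 if t > end else 0.0
        return min(1.0, max(0.0, (t - earliest) / jitter))

    expired = share_before(now)
    due = share_before(now + interval)
    return {
        "earliest_expiry": earliest,
        "latest_expiry": end,
        "already_expired": expired,
        "replaced_on_next_resign": due - expired,
        # True only when no signature starts out inside the re-sign window.
        "window_clear_of_interval": earliest >= now + interval,
    }


# Constructed sample values matching the thread: S is one hour in the past,
# E = S + 30d, J = 30d, and the 7.5 day interval mentioned in the thread.
NOW = datetime(2009, 8, 14, 12, 0, tzinfo=timezone.utc)
S = NOW - timedelta(hours=1)
E = S + timedelta(days=30)
THREAD_CASE = jitter_report(NOW, S, E, timedelta(days=30), timedelta(days=7.5))
SMALLER_JITTER = jitter_report(NOW, S, E, timedelta(days=20), timedelta(days=7.5))

if __name__ == "__main__":
    for name, report in (("J=30d", THREAD_CASE), ("J=20d", SMALLER_JITTER)):
        print(name, report)
```

With J equal to the whole validity period, one hour's worth of the window is already expired and a quarter of it falls inside the re-sign interval; with J = 20d neither happens.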
